Oracle patches widespread Java zero-day bug in three days (Updated)

Earlier this week, a security hole in the latest version of Java was being "massively exploited in the wild." Hackers were turning compromised websites into platforms for installing silent keyloggers or other malicious software. And at the time news broke, even fully patched Java installations were at risk.

Krebs reports this update changes the way Java handles Web applications. From the company's advisory:

“The default security level for Java applets and Web start applications has been increased from 'Medium' to 'High.' This affects the conditions under which unsigned (sandboxed) Java Web applications can run. Previously, as long as you had the latest secure Java release installed applets and Web start applications would continue to run as always. With the 'High' setting the user is always warned before any unsigned application is run to prevent silent exploitation.”

As Krebs acknowledges, it's nice that Oracle acted so quickly in the face of such an attack. However, the rule with Java remains: if the program isn't absolutely necessary to your day-to-day, the safest route is avoiding it entirely.
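The advisory's change is just a default in Java's deployment configuration, which is the same file an administrator would police on managed machines rather than trusting each installer to set it. The script below is an added example, not code from the article or from Oracle: it audits a deployment.properties file for the applet security level, hardens it to HIGH and locks the key so a user cannot slide it back down. It assumes the deployment.security.level key (values LOW, MEDIUM, HIGH, VERY_HIGH) and the ".locked" suffix as documented for Java's deployment configuration; the sample file it creates is constructed for the demo, not taken from a real installation.

```shell
#!/bin/sh
# Added example: audit and harden the applet security level in a Java
# deployment.properties file. Assumes the documented keys
# deployment.security.level and deployment.security.level.locked.

# 0 if the file sets deployment.security.level to HIGH or VERY_HIGH,
# 1 if the level is missing or lower (MEDIUM/LOW), 2 if the file is unreadable.
java_applet_level_ok() {
    f="$1"
    [ -r "$f" ] || return 2
    # last assignment wins, as it does for Java's property files
    level=$(sed -n 's/^deployment\.security\.level=\(.*\)$/\1/p' "$f" | tail -n 1 | tr -d '\r')
    case "$level" in
        HIGH|VERY_HIGH) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the level key is locked (cannot be lowered from the Control Panel), 1 otherwise.
java_applet_level_locked() {
    grep -q '^deployment\.security\.level\.locked' "$1"
}

# Copy $1 to $2 with the level forced to HIGH and locked. The input is left untouched.
# grep -v exits 1 when it selects no lines (file held only the level key); that is fine,
# any other non-zero status is a real error.
java_applet_harden() {
    in="$1"; out="$2"
    grep -v -e '^deployment\.security\.level=' \
            -e '^deployment\.security\.level\.locked' "$in" > "$out" || [ $? -eq 1 ]
    printf 'deployment.security.level=HIGH\ndeployment.security.level.locked\n' >> "$out"
}

# --- constructed sample: a user profile still on the pre-update "Medium" default ---
tmp=$(mktemp -d)
cat > "$tmp/deployment.properties" <<'EOF'
#deployment.properties (constructed sample)
deployment.version=7.0
deployment.security.level=MEDIUM
EOF

if java_applet_level_ok "$tmp/deployment.properties"; then
    echo "OK: applet security level is High or above"
else
    echo "WEAK: applet security level is below High; hardening"
    java_applet_harden "$tmp/deployment.properties" "$tmp/deployment.properties.new"
    mv "$tmp/deployment.properties.new" "$tmp/deployment.properties"
fi
java_applet_level_ok "$tmp/deployment.properties" \
    && java_applet_level_locked "$tmp/deployment.properties" \
    && echo "OK: level is now HIGH and locked"
rm -rf "$tmp"
```

On a real machine the file to check is the per-user deployment.properties (under ~/.java/deployment on Unix-like systems) or the system-level one named by deployment.config; the locked form only has the intended effect in the system-level file, since a user can edit their own profile.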

Update: On Sunday evening, Microsoft issued an advance notification to customers that on January 14 at 10:00 a.m. PST, the company would "release an out-of-band security update to fully address the issue described in Security Advisory 2794220." This separate, emergency security update addresses a vulnerability in Internet Explorer that could allow remote code execution.

It might've been nice for Oracle to clarify for us Mac users that this new Java has a minimum requirement of Lion before wasting our time downloading it. Anybody have any idea which version works with Snow Leopard and if that version has this bug fixed?


It doesn't appear that Java 6 is affected by this particular bug, and I think that's what version Apple shipped with 10.6.

I don't get why Java and Flash are so prone to bugs. Are they just badly coded? Is it the type of software they're making? (Especially in the case of Java, which is basically a mini OS running on top of another OS.)

I'm all for Oracle bashing, but since when is three days to patch a zero-day no longer good?

No, it is bad. Oracle needed three days to implement such a trivial change? I'll bet the patch diff looks like this:

< security_level = MEDIUM;
---
> security_level = HIGH;

Yep, as we all know, the really important and time-consuming part of developing software is actually changing the code and not everything else!

marcusj0015 wrote:

I don't get why Java and Flash are so prone to bugs. Are they just badly coded? Is it the type of software they're making? (Especially in the case of Java, which is basically a mini OS running on top of another OS.)

Short summary of the problem: at SE. Basically it's really hard to write a correct sandbox implementation, especially with such a huge library with hundreds of dangerous system calls in it as Java has. You'll notice that Chrome's sandbox implementation, for example, had just the same problem and probably still contains some undetected flaws, and its attack surface is probably smaller.

Oracle needs to get with the update game... either provide the ability to update without admin privilege or stop making the software... Any high-profile software that's a target for attack (browser, Java, Flash, etc.) should be 100% auto-update by default, and all without admin requirements.


^ This. I'm so tired of seeing co-workers' computers reminding them that there's a Java update (and, from what they tell me, there has been one for weeks), but the users can't install it themselves. There are only two people in the company with the right credentials to update it...and there are ~350 machines spread across 5 sites.


Even with a fully managed environment with SCCM, Altiris, etc., it's a pain in the butt... At this point I don't care about version numbers; if I have a user THAT needs a certain version of something, then I simply give them a hardened VM... it's just not worth the risks anymore...

But we have tons of resources that require Java (edu resources, and some banking stuff), but none are version dependent, so let the updating begin. I could care less if there are security issues with software if there is a great update mechanism in place, and a fairly quick turnaround. (Chrome, Flash, etc. all work great now with their auto-updates...)

I can easily disable Java across our environment in a snap... but pushing out updates is a royal pain....


marcusj0015 wrote:

I don't get why Java and Flash are so prone to bugs. Are they just badly coded? Is it the type of software they're making? (Especially in the case of Java, which is basically a mini OS running on top of another OS.)

Big products installed across platforms, and installed in so many places... It is a HUGE target, and unlike most attack vectors, which are platform-specific, these attacks often work across platforms... making the gains from a single exploit that much greater.

The Java web stuff is outdated anyway; please don't use Java in your web browser, it's just a bad idea regardless of what OS you run. If you come to a site you have to have (work, school, etc.), that's the only time you should allow it. A lot of misinformed people think Java is terrible, yet it really is king in server-side programming; it's got no place in client-side web apps, however, and never should have.

"As Krebs acknowledges, it's nice that Oracle acted so quickly in the face of such an attack."

Um, I've read reports that Oracle was informed of this bug back in Sept 2012, so they DID NOT act very quickly. They only did something about the problem when somebody started using the attack in a widespread manner and the attack was reported by a number of news outlets.

If either of those things had not happened, Oracle's response would have been "meh".

I don't fully understand Oracle's thinking behind this type of update philosophy. Nor do I understand Microsoft's. Every time something like this goes to the press I read so many comments from people uninstalling, for example, Java. This is only bad for them. People are trying not to use their software, and just like people uninstalling Flash, it's reducing their market share. Less market, fewer people will want to code any apps for them. So fewer people will pay them.

Are they so dumb? If this was mentioned in 2012, and they just said "nobody is exploiting it yet, we will fix it," then I honestly would not touch their products ever, not even their database products. Any company that treats security bugs as second-class issues they will fix sometime does not deserve to sell their software either. If I want to wait months for a bug fix I can just keep using open source, and even that does not take long to get bug fixes. So why would someone pay for expensive enterprise software from Microsoft or Oracle if they are so slow at fixing bugs?

Microsoft is exactly the same with their products. Sometimes they take months to fix security issues. Most of the time they just push it to the next Tuesday update. Really? If they have a fix now, they should release it now, not tomorrow. This is particularly true for Explorer; people use their browser every day, not once a week. Chrome tends to ship a security fix 1 or 2 days after the issue was discovered. Java is great; the problem is Oracle, not Java.

Oracle needs to get with the update game... either provide the ability to update without admin privilege or stop making the software... Any high-profile software that's a target for attack (browser, Java, Flash, etc.) should be 100% auto-update by default, and all without admin requirements.

^ This + no toolbars in the bloody installer!

This is one of the more annoying things software companies do on a regular basis. "You want our software? Oh, you'll probably want this junkware as well - default is yes, just click that 'next' button".

Can someone please explain to me the difference between Java and JavaScript? I am only a demi-nerd, and need to know what settings I should use in Chrome.

Microsoft is exactly the same with their products. Sometimes they take months to fix security issues. Most of the time they just push it to the next Tuesday update. Really? If they have a fix now, they should release it now, not tomorrow. This is particularly true for Explorer; people use their browser every day, not once a week. Chrome tends to ship a security fix 1 or 2 days after the issue was discovered. Java is great; the problem is Oracle, not Java.

Ever stop to think that pushing out an update informs others of flaws? There is a priority sequence... unless you are running critical infrastructure, you aren't priority #1.

Microsoft is exactly the same with their products. Sometimes they take months to fix security issues. Most of the time they just push it to the next Tuesday update. Really? If they have a fix now, they should release it now, not tomorrow. This is particularly true for Explorer; people use their browser every day, not once a week. Chrome tends to ship a security fix 1 or 2 days after the issue was discovered. Java is great; the problem is Oracle, not Java.

You do realize that most companies take days, if not weeks, to roll out updates, because of the resources and risks involved?

By standardizing the update schedule, MS has made this process more manageable, which means that companies deploy these updates far quicker.

In the meantime, MS hasn't alerted all the bad guys about the flaws they can exploit while companies get around to deploying their updates.

I don't fully understand Oracle's thinking behind this type of update philosophy. Nor do I understand Microsoft's. Every time something like this goes to the press I read so many comments from people uninstalling, for example, Java. This is only bad for them. People are trying not to use their software, and just like people uninstalling Flash, it's reducing their market share. Less market, fewer people will want to code any apps for them. So fewer people will pay them.

You really think Oracle cares about Java's market share in client-side web programming? A.k.a. the one technology that hasn't seriously been used by anybody in the last 8 years? (Being generous here.)

Oracle knows just as well as everybody else that Java's future isn't on the client side of things; it's the server side, which, as you may notice, is generally much less concerned with security problems and has a much larger market share to begin with.

Oracle needs to get with the update game... either provide the ability to update without admin privilege or stop making the software... Any high-profile software that's a target for attack (browser, Java, Flash, etc.) should be 100% auto-update by default, and all without admin requirements.

^ This. I'm so tired of seeing co-workers' computers reminding them that there's a Java update (and, from what they tell me, there has been one for weeks), but the users can't install it themselves. There are only two people in the company with the right credentials to update it...and there are ~350 machines spread across 5 sites.

They should be centrally deploying it. Java can be deployed using nothing but the software management tools provided with Active Directory.

And something I find particularly funny is that Oracle's readme for Mac OS X references an amd64 version of the JRE...

Apple uses Intel-based chipsets for their PCs these days. The simple (and not fully accurate) explanation is that Java implements the AMD64 instruction set, which is supported by Intel chipsets, as opposed to writing a fully unique implementation for each and every chipset. You'll find this in other areas as well; for example, if you decide to throw a distro of Debian Linux onto an Intel 64 chipset, you download the amd64 package.

The Java web stuff is outdated anyway; please don't use Java in your web browser, it's just a bad idea regardless of what OS you run. If you come to a site you have to have (work, school, etc.), that's the only time you should allow it. A lot of misinformed people think Java is terrible, yet it really is king in server-side programming; it's got no place in client-side web apps, however, and never should have.

This.

Besides security issues, there is another great reason to keep these apps server-side: client processing load. With more web traffic moving to mobile devices, battery-draining tasks should be kept to a minimum. And conscientious admins will probably be better at applying critical updates to the server than many clients will be at updating their devices.